User Management API
These endpoints require a user JWT unless noted otherwise.
Core profile and security endpoints
| Method | Path | Description |
|---|---|---|
GET |
/api/user |
Get the authenticated user profile |
PATCH |
/api/user |
Update the authenticated user profile |
POST |
/api/user/set-password |
Add password auth to an OAuth-only account |
POST |
/api/user/change-password |
Change the current password |
GET |
/api/subscription |
Get current subscription context |
GET |
/api/provider-token/:provider |
Get a service-scoped provider access token |
Identity linking
| Method | Path | Description |
|---|---|---|
GET |
/api/user/identities |
List linked login identities |
POST |
/api/user/identities/:provider/link |
Start linking a login identity |
DELETE |
/api/user/identities/:provider |
Unlink a login identity |
Connected accounts and provider-token workflows
These endpoints power the newer third-party connected-account model and the completion flow used when a service requests a provider token with additional scopes.
| Method | Path | Description |
|---|---|---|
GET |
/api/user/linked-accounts |
List connected accounts and available providers |
POST |
/api/user/linked-accounts/:provider/link |
Start linking a connected account |
POST |
/api/user/linked-accounts/:account_id/grants |
Grant a connected account to a service |
DELETE |
/api/user/linked-accounts/:account_id/grants/:service_id |
Revoke a service grant |
DELETE |
/api/user/linked-accounts/:account_id |
Remove a connected account |
GET |
/api/user/provider-token-requests/:state |
Inspect a pending provider-token request |
POST |
/api/user/provider-token-requests/:state/complete |
Complete a provider-token request |
POST |
/api/user/provider-token-requests/:state/link |
Start linking the provider required by a pending request |
Hosted provider-token reauth
Services that call POST /api/service/provider-tokens may receive an action_required response with a reauth_url. That URL points to:
| Method | Path | Description |
|---|---|---|
GET |
/connect/provider-token/:state |
Start the hosted provider-token reauth/link flow |
This route is intentionally outside the AuthOS organization dashboard. It consumes the short-lived provider-token request state, starts the required provider OAuth flow with the original user/service/scope metadata, and returns the user to the service callback after AuthOS completes the grant.
The hosted route must not redirect an end user into organization creation, organization selection, or general connected-account management. If a service needs Microsoft To Do access, for example, the user should see Microsoft authorization and then return to the service, not the AuthOS admin console.
The authenticated /api/user/provider-token-requests/:state/* endpoints remain available for dashboard and SDK flows that already have the correct AuthOS user session. They are not required for the hosted service-return flow.
Example: list connected accounts
curl -X GET https://sso.example.com/api/user/linked-accounts \
-H "Authorization: Bearer {jwt}"
Example response:
{
"accounts": [
{
"id": "acct_123",
"provider": "github",
"provider_user_id": "12345",
"email": "user@example.com",
"display_name": "Octo User",
"scopes": ["repo", "read:user"],
"expires_at": null,
"status": "active",
"grants": []
}
],
"available_providers": [
{
"provider": "github",
"display_name": "GitHub",
"provider_type": "oauth2",
"scopes": ["user:email"],
"connect_supported": true
}
]
}
Example: complete a provider-token request
curl -X POST https://sso.example.com/api/user/provider-token-requests/state_123/complete \
-H "Authorization: Bearer {jwt}" \
-H "Content-Type: application/json" \
-d '{
"connected_account_id": "acct_123"
}'
Expected response:
{
"redirect_url": "https://app.acme.com/callback?provider_token_request=completed"
}
Hosted provider-token reauth redirects directly to the stored service callback instead of returning this JSON response.